Semi-authenticated local file inclusion The contents of arbitrary files can be returned by the webserver Example request: `https://x.x.x.x/KLC/js/Kaseya.SB.JS/js.aspx?path=C:\Kaseya\WebPages\dl.asp` A valid sessionId is required but can be easily obtained via CVE-2021-30118
References
Link | Resource |
---|---|
https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/ | Patch Third Party Advisory |
https://csirt.divd.nl/CVE-2021-30121 | Exploit Third Party Advisory |
https://csirt.divd.nl/DIVD-2021-00011 | Patch Third Party Advisory |
Configurations
History
29 Apr 2022, 18:57
Type | Values Removed | Values Added |
---|---|---|
References | (CONFIRM) https://csirt.divd.nl/CVE-2021-30121 - Exploit, Third Party Advisory | |
References | (MISC) https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/ - Patch, Third Party Advisory | |
References | (CONFIRM) https://csirt.divd.nl/DIVD-2021-00011 - Patch, Third Party Advisory | |
CVSS |
v2 : v3 : |
v2 : 4.0
v3 : 6.5 |
04 Apr 2022, 07:15
Type | Values Removed | Values Added |
---|---|---|
Summary | Semi-authenticated local file inclusion The contents of arbitrary files can be returned by the webserver Example request: `https://x.x.x.x/KLC/js/Kaseya.SB.JS/js.aspx?path=C:\Kaseya\WebPages\dl.asp` A valid sessionId is required but can be easily obtained via CVE-2021-30118 |
24 Mar 2022, 15:50
Type | Values Removed | Values Added |
---|---|---|
References | (CONFIRM) https://csirt.divd.nl/CVE-2021-30121 - Third Party Advisory | |
References | (CONFIRM) https://csirt.divd.nl/DIVD-2021-00011 - Third Party Advisory |
07 Feb 2022, 16:15
Type | Values Removed | Values Added |
---|---|---|
Summary | Authenticated local file inclusion in Kaseya VSA < v9.5.6 | |
References |
|
12 Jul 2021, 16:40
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:kaseya:vsa:*:*:*:*:-:*:*:* | |
CWE | CWE-829 | |
References | (MISC) https://csirt.divd.nl/2021/07/07/Kaseya-Limited-Disclosure/ - Third Party Advisory | |
CVSS |
v2 : v3 : |
v2 : 6.5
v3 : 8.8 |
09 Jul 2021, 15:01
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-07-09 14:15
Updated : 2024-02-04 21:47
NVD link : CVE-2021-30121
Mitre link : CVE-2021-30121
CVE.ORG link : CVE-2021-30121
JSON object : View
Products Affected
kaseya
- vsa
CWE
CWE-829
Inclusion of Functionality from Untrusted Control Sphere